SASL mechanisms

SASL mechanism name
Document Reference
ANONYMOUS Anonymous SASL Mechanism RFC 2245 Chris Newman <>
PLAIN Plain login mechanism (single step) RFC 2595 Chris Newman <>
LOGIN Plain login mechanism (two step)
No specification exists
Mark Crispin <MRC@CAC.Washington.EDU>
CRAM-MD5 Challenge-Response Authentication Mechanism RFC 2195 John C. Klensin <>,

Randy Catoe <>,

Paul Krumviede <>

    Revision of CRAM-MD5 draft-nerenberg-sasl-crammd5-01.txt Editor - Lyndon Nerenberg <>
OTP The One-Time-Password SASL Mechanism RFC 2444 Chris Newman <>
PASSDSS-3DES-1 DSS Secured Password Authentication Mechanism draft-newman-sasl-passdss-01.txt Chris Newman <>
SCRAM-MD5 Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-03.txt Chris Newman <>
DIGEST-MD5 Digest Authentication as a SASL Mechanism RFC 2831 Paul Leach <>,

Chris Newman <>

    AES cipher for DIGEST-MD5 draft-melnikov-sasl-digest-aes-00.txt Alexey Melnikov <>


SASL GSSAPI mechanisms:

GSSAPI is for Kerberos V5 GSSAPI

GSS-algorithm is for GSSAPI algorithm, other than Kerberos V5


Updates GSSAPI definition in RFC 2222

John G. Myers <>
KERBEROS_V4 Kerberos V4 RFC 2222 John G. Myers <>
SKEY S/KEY (defined in RFC 1760) One-Time-Password SASL that uses MD4 digest algorithm. 

Obsoleted by OTP

RFC 2222 John G. Myers <>
EXTERNAL Mechanism that verifies (PPP, IPSec, SSL/TLS, ) RFC 2222

Revision in draft-myers-saslrev-01.txt

John G. Myers <>



X.509 Authentication SASL Mechanisms:
  • "X509-C-<algorithm>" for client authentication only  
  • "X509-S-<algorithm>" for server authentication only  
  • "X509-B-<algorithm>" for client and server authentication. In this case client authentication is done prior to server authentication. 
draft-ietf-ldapext-x509-sasl-03.txt Steve Kille <>
ROAMING-ELGAMAL ROAMING-ELGAMAL SASL Authentication Mechanism draft-overell-roaming-elgamal-sasl-00.txt P. Overell <>
SECURID The SecurID(r) SASL Mechanism RFC 2808 Magnus Nystrom <>,

John Brainard <>

Secure Remote Password SASL Mechanism
draft-burdis-cat-srp-sasl-06.txt K.R. Burdis <>,

R. Naffah <>



ISO/IEC 9798-3 Authentication SASL Mechanism.

  • "9798-U-<algorithm>" for unilateral client authentication.
  • "9798-M-<algorithm>" for mutual authentication.
Currently defined <algorithm>s:
  • DSA-SHA1
RFC 3163 Robert Zuccherato <>

Magnus Nystrom <>

SM2-<SASL-mechanism-name> SM2 -- A Session Management Capable SASL Mechanism draft-naffah-cat-sasl-sm2-01.txt David Taylor <>

Raif S. Naffah <>

NTLM Proprietary Microsoft authentication mechanism   Registered by Paul Leach <>
NMAS_LOGIN, NMAS_AUTHEN ?   Registered by Mark G. Gayman <>


SASL profiles
Document Reference
SMTP RFC 2554 John G. Myers <>
POP3 RFC 1734 John G. Myers <>
IMAP4 RFC 2060
(see AUTHENTICATE command)
M. Crispin <MRC@CAC.Washington.EDU>
ACAP RFC 2244 Chris Newman <>,
John G. Myers <>
BEEP RFC 3080 Marshall T. Rose <>
LDAP LDAPv3 (RFC 2251) Mark Wahl <>,
Tim Howes 
Steve Kille  <>
Authentication Methods for LDAP (RFC 2829) M. Wahl <>
H. Alvestrand <>
J. Hodges <>
R. Morgan <>
NNTP Draft expired Chris Newman <>
Telnet Draft expired Chris Newman <>
HTTP draft-nystrom-http-sasl-02.txt    Magnus Nystrom <>

   Alexey Melnikov <>

   Robert Zuccherato <>

HTTP (alternative proposal) draft-burdis-http-sasl-00.html K.R. Burdis <>



Document Reference
Java draft-weltman-java-sasl-04.txt Rob Weltman <>

Rosanna Lee <>

Please, don't send general questions like "What is SASL?" to authors of SASL mechanism documents.
They are busy people.

I want to see IETF standard related pages

If you want to add/update information, send me email

List composed by Alexey Melnikov. Feel free to send me comments, corrections and additions to this list.
Information published on this page is for developers use only. It is prohibited to use this information for commercial purposes.

Last updated 29 April 2002

Thank you to Claus Assmann <ca at> for hosting my technical pages